Analysis

  • max time kernel
    60s
  • max time network
    64s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    20-03-2023 20:15

General

  • Target

    modest-menu.exe

  • Size

    15.3MB

  • MD5

    af6b000cca334405709a7a45f07b1788

  • SHA1

    57c2502d8ca01a6da5b7ab4e61f857e9e0fd40f8

  • SHA256

    0a03f7b518d5bc76cf58e1bfaad2b6840262b494553626c3727acbb8bd70cb91

  • SHA512

    5dcfefd3dd7111fad2b96cad039a0aa3ea388d1666b20a2ada004c05658171b52b26d699b77564031960505c02cdaf440c66c2694d33ead970fe6fcd8b299b5e

  • SSDEEP

    393216:9FESY8FS6GWgq2pyqNqfMgpcbVTv1OGOSHC84uza:DESYUS6GPqqNqUvToGOSHC8w

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\modest-menu.exe
    "C:\Users\Admin\AppData\Local\Temp\modest-menu.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3372
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1120
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3620 CREDAT:82945 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3796

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Defense Evasion
      • Virtualization/Sandbox Evasion (T1497): 1
      • Modify Registry (T1112): 1

    Discovery
      • Query Registry (T1012): 2
      • Virtualization/Sandbox Evasion (T1497): 1
      • System Information Discovery (T1082): 2


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
      Filesize

      4KB

      MD5

      da597791be3b6e732f0bc8b20e38ee62

      SHA1

      1125c45d285c360542027d7554a5c442288974de

      SHA256

      5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

      SHA512

      d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3BIYXXCG.cookie
      Filesize

      244B

      MD5

      a52fe0da8abc270568619c23ef6673ea

      SHA1

      8abf7e2c69ff24a5ea5262b8e4d4ac9c976bde08

      SHA256

      66888617ab1fcb737215127f05e0c8fd72f69fc7bd39caa46af15d6369c84748

      SHA512

      78804ff1e480bd926dceea04449c45e3d4526c1212901a4f209b7cf6278fe9ca1a2a2fb48f3aa5afcee07e34e00072b099a3be2516d31f359cb02429d0ae35a1

    • memory/3372-121-0x00007FF656D60000-0x00007FF65935D000-memory.dmp
      Filesize

      38.0MB

    • memory/3372-122-0x00007FF656D60000-0x00007FF65935D000-memory.dmp
      Filesize

      38.0MB

    • memory/3372-123-0x00007FF656D60000-0x00007FF65935D000-memory.dmp
      Filesize

      38.0MB

    • memory/3372-124-0x00007FF656D60000-0x00007FF65935D000-memory.dmp
      Filesize

      38.0MB

    • memory/3372-125-0x00007FF656D60000-0x00007FF65935D000-memory.dmp
      Filesize

      38.0MB

    • memory/3372-126-0x00007FF656D60000-0x00007FF65935D000-memory.dmp
      Filesize

      38.0MB

    • memory/3372-127-0x00007FF656D60000-0x00007FF65935D000-memory.dmp
      Filesize

      38.0MB

    • memory/3372-128-0x00007FF656D60000-0x00007FF65935D000-memory.dmp
      Filesize

      38.0MB

    • memory/3372-129-0x00007FF656D60000-0x00007FF65935D000-memory.dmp
      Filesize

      38.0MB